Why Hackers Love Cryptocurrency Miner Coinhive

Cryptocurrency miner Coinhive is becoming a hacking tool for cybercriminals, according to security researchers.

A brilliant idea to monetize internet traffic appears to be running amok.

You may have encountered it. Computer code that has found its way into tens of thousands of websites secretly siphons CPU processing power to mine a digital currency called Monero.

The code's developer, Coinhive, rakes in the dough, but some security researchers claim it's a form of malware, and say the code is lining the pockets of hackers, too. "It's becoming a new revenue stream for cybercriminals," said Troy Mursch, an independent security researcher.

The Rise of Coinhive

Coinhive first released its cryptocurrency miner in September as a novel way for websites to generate revenue. Once embedded into a website, the code mines the digital currency Monero by borrowing visitors' CPU processing power. The more visitors, the more money earned. Site owners take a 70 percent share, while Coinhive grabs the rest.

That may sound great, but there's one big problem: the Coinhive code often doesn't tell website visitors that any mining is taking place. It can simply borrow CPU processing power via the browser, without any warning.

One of Coinhive's earliest adopters was The Pirate Bay, a site that already has a rather notorious reputation. In September, visitors to the site noticed it was hogging CPU resources, prompting complaints. As TorrentFreak reports, The Pirate Bay said it was just briefly testing the technology, but a month later, the site was again mining cryptocurrency through an ad script, with no way to opt out.

Mursch found the crypto miner in over 30,000 random sites, many of which don't appear to be using the Coinhive code deliberately. Among them was PolitiFact, a fact-checking service which briefly hosted the Coinhive code in October because its site was hacked.

Mursch also found several instances where a single Coinhive account holder placed the crypto miner on dozens of unrelated sites—a telltale sign that the sites were actually hijacked by a hacker to host the code.

What does a Christian academy, association of doctors, a reality show, and an electrical union have in common?

That's right, they all share #Coinhive site key f1rnt9Doh9J6Ty9k8qyjickmhZQYklaq!
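The shared-site-key signal described above can be checked mechanically over crawled pages. The following is an added example, not code from the article or from Mursch; it assumes the miner is embedded with a call of the form new CoinHive.Anonymous('<32-character site key>'), and every URL, key and page in it is constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the site key is the first argument to a CoinHive.* constructor.
KEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User|Token)\(\s*['"]([A-Za-z0-9]{32})['"]""")

def extract_site_keys(html):
    """Return the set of Coinhive site keys referenced in one page."""
    return set(KEY_RE.findall(html))

def base_domain(url):
    """Naive registrable domain (last two labels); a real scan
    would consult the Public Suffix List instead."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def shared_keys(pages, min_sites=3):
    """pages: iterable of (url, html). Returns {key: sorted domains} for
    keys seen on at least min_sites distinct domains, which is the sign
    that unrelated sites are paying out to one account."""
    seen = defaultdict(set)
    for url, html in pages:
        for key in extract_site_keys(html):
            seen[key].add(base_domain(url))
    return {k: sorted(d) for k, d in seen.items() if len(d) >= min_sites}

# Constructed sample data (not real keys or sites).
KEY_SHARED = "SHARED" + "0" * 26
KEY_SINGLE = "SINGLE" + "0" * 26

def page(key):
    return f"<script>var miner = new CoinHive.Anonymous('{key}');</script>"

SAMPLE_PAGES = [
    ("https://www.academy.example/", page(KEY_SHARED)),
    ("https://doctors.example/about", page(KEY_SHARED)),
    ("https://union.example/", page(KEY_SHARED)),
    # Two subdomains of one owner count as a single site.
    ("https://blog.tracker.example/", page(KEY_SINGLE)),
    ("https://www.tracker.example/", page(KEY_SINGLE)),
    ("https://clean.example/", "<p>no miner here</p>"),
]

if __name__ == "__main__":
    for key, domains in shared_keys(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

A key reported here is a lead for the site owners and for an abuse report to the mining service, not proof of compromise on its own, since one operator can legitimately run several domains.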

A Lucrative Business

Anyone can go to the Coinhive site and sign up for an account by providing a valid email address. In return, they'll receive access to the JavaScript code for the crypto miner, which can be easily embedded into a website.

Coinhive claims it never intended for its miner to be abused. However, the developers have so far refused to reveal their identities. "There's no 'big reveal' here, no 'Snapchat CTO now running Coinhive' headline to be made," the developers joked in an email to PCMag.

The developers say they are a "bunch of friends," who've done various web projects over the years. Originally, Coinhive's website featured an About Us section that said its crypto miner "grew out of an experiment" on a German image board at pr0gramm.com, but that section has since been removed.

Although the developers aren't saying how much money they've made from their idea, online ad-blocking service AdGuard also found the Coinhive miner on over 30,000 sites and estimates the code generates $150,000 in Monero every month. For Coinhive, which takes a 30 percent cut, that amounts to $540,000 per year.

Mursch suggested Coinhive may be making more, possibly between $3.7 million and $5 million per year, even after a 30 percent cut. He bases the figure on Coinhive's own blog post from September, which gave a glimpse at how much Monero it was mining.

Conversely, any hackers using the miner will be raking in revenue, too. But the developers maintain they are cracking down on abusers.

"So far we have banned 67 accounts for violating our terms of service—in most cases for installing the miner on hacked websites," Coinhive said in an email. "The rate of these reports seemed to have slowed down now as offenders have realized that they will not get any money from us."

A Growing Security Issue

How does this affect consumers? Prolonged mining in the background of your browser can lead to a slight bump in your electric bill (not to mention kick the fan in your PC into high gear). Researchers at security firm Trustwave found that a computer running the Coinhive miner for 24 hours could end up costing a US user an extra 10 to 18 cents on their electric bill, or between $2.90 and $5 per month. That can add up over time.

Antivirus and ad-blocking vendors are taking note. Last month, Malwarebytes blocked 248 million attempts by the miner to borrow PC resources from company users. "Coinhive has created this new business model for both good and bad," said Jerome Segura, a Malwarebytes security researcher. "Unfortunately, the bad has been overwhelming."

To be sure, there are legitimate sites using Coinhive, although they tend to offer content like pirated media or porn. Many of the hacked sites found with Coinhive are also not major internet destinations. They're often small sites run by companies or owners with little to no IT budgets, making them easy targets, according to Segura.

However, the worry is that the "cryptojacking" will only grow more rampant over time. Segura has found instances where hackers try to hide Coinhive code inside compromised websites so site owners can't easily find it. He predicts the cryptojacking may migrate to mobile apps.

Mursch, on the other hand, continues to help uncover new sites running Coinhive's code. On Monday, he tweeted about the miner mysteriously running on government websites from the Republic of Moldova.

In response to all the complaints, Coinhive last month released a new miner that first asks users for permission to borrow the CPU resources. But security researchers say that miner has failed to attract the same following, particularly since Coinhive still offers the old miner.

"They know they are offering two options for a reason," said privacy expert Christopher Dore, a lawyer at Edelson PC. "If they wanted this to be all legitimate, they'd remove the older version."

Coinhive hasn't commented on why it continues to offer the old miner. But even if the developers were to shut it down, there are many other copycat services available on the internet. Any hacker could easily use those too, Mursch said.